I know from experience that Cisco Type 7 passwords are easily decoded and using the tool in Kali to decrypt these passwords (don’t recall the executable name, “ciscodecrypt7” or something similar) I was able to obtain the passwords:

flag:lambSkinCoat
cisco
mossyoakcamo
pirateslife4me
time2seethebirds

Everything but “cisco” were good for points. Still not satisfied that I had obtained all the points there were to be had on this router, I kept poking at it hoping it would deliver more. However, after spending too long trying every Cisco exploit I could think of (or Google), I arrived to the conclusion this may be all there is.

Recognizing that “dave_k” was the highest privileged user on the router, I logged out and back in as him but subsequent “show run” commands didn’t reveal any additional information. I also tried to pull any information out of the router where another flag might possibly be hidden such as “show version” or “show tech” but didn’t find anything.

I really needed “privilege 15” level credentials to have “root” on the router to really get at the rest of it and after spending too much time messing with it I came to the realization that if I had root on the router, I could effectively do ANYTHING to it including wiping it’s configuration — preventing others access to these flags. Surmising this was probably not part of the event, I gave up.